infoTECH Feature

September 20, 2016

New Business Models Address Printer Security Concerns

By Special Guest
Christoph Schell, President of the Americas at HP

It’s startling to think that the printer, the every-day office appliance we rely on so heavily, could be the gateway for a security breach that could bring an institution to its knees, but that’s precisely what’s been happening. The integration of printers into increasingly sophisticated document management workflows makes them a critically important, yet often-overlooked link in a corporation’s global security chain, if the right measures are not taken.

In late March of 2016, printers on campuses across the country began spewing anti-Semitic flyers after a well-known hacker used a freely available tool to scan and seek out vulnerable devices that could be accessed. And last year, researchers in Singapore took innovative hacking to new heights by attaching a mobile phone to a drone to intercept files being sent to a Wi-Fi-enabled printer – on the thirtieth floor of an office building. 

Figure 1: “I probe around for a multifunction printer and see that it is configured with default passwords. Great, I am in…” Peter Kim, penetration tester, hacker, author.

The drone-based attack was enacted as a research project on corporate vulnerabilities and the printer was chosen specifically because it is so often overlooked. Once penetrated, software re-directed print files to a mobile phone, instead of the printer.

The vulnerability of printers comes in stark contrast to the extremes to which vigilant companies are going to enhance security, from network setup to where information is stored in the cloud and also the degree to which IT departments are working to secure the multitude of mobile devices accessing the network. Given that printers are also networked and can be used as a Trojan horse to access a network, clearly there is an on-going disconnect.

Still, a Spiceworks (News - Alert) study of IT professionals showed printers at the bottom of the list of security concerns at 18 percent. PCs were at the top at 91 percent and mobile devices and servers shared second place at 77 percent. This, despite security threats rising by 48 percent annually and the average cost of a data breach estimated at $7.7 million with 92 percent of companies reporting some level of data breaches.

Specific to printers, a Ponemon Institute study in October of 2015 showed that 64 percent of IT managers report likely printer malware infection, and 60 percent had a printer data breach. 

Figure 2: If not properly managed, a printer has many vulnerabilities that expose not only corporate networks and data, but also the data of anyone who has used that printer for personal files, such as home mortgage applications.

Interestingly, many office workers choose to use their office printers to print out personal information, from mortgage applications to resumes. Yet few, if any, realize that printers also have quite powerful storage drives that may or may not be protected. Even if they are protected in the office environment, when it comes to disposing of the printer for a new one, the data on the drive or memory bank may well fall into unintended hands if proper disposal procedures are not followed.

Security Must Evolve With Business Models

Fortunately, print vendors are doing their part to boost security via sophisticated security features in the printer hardware and offering additional managed security software and services as add-on options. These options can include data encryption, incremental user authentication and pull print solutions, fleet-wide device security management and reporting capabilities to comply with government regulatory requirements. And to address resource challenges, providers can supply consulting with security experts and managed print services to help businesses develop & maintain a customized print security management plan.

In addition, enterprise and small business printing models are transitioning to a more comprehensive and efficient document workflow management system known as printing-as-a-service. In lieu of an asset that must be paid for up front as part of capital expenditure (capex), the concept of “managed print services” offers the advantage of users paying only per printed page, moving printing from capex to operational expenditure (opex), which is treated very differently from a P&L point of view and provides much more flexibility. To date, this subscription-based model has been shown to reduce printing costs up to 50 percent.

Two other advantages of this model, where the printing service provider and the company work collaboratively, are that the focus shifts to ensuring printing is done in the best possible way in terms of format and colors, and that workflows such as invoicing and payments can be automated. With the right print partner, printers can be connected to the cloud and automate supplies replenishment to ensure that customers never run out of supplies at the wrong time.

From a security point of view, these new business models align perfectly with the need to reduce the likelihood of a breach in that a document workflow management partner may be able to bring to the table expertise in security acquired from PC development and many years in the trenches making PCs, wireless devices and printers work together.

“Advisory councils” can assess a company’s security risks and implement a strategy that focuses on the 3 Ds of printer security risk management: Device, Data and Documents.

As mentioned earlier, the internal hard drive can be a loophole, but so too can the network interface card (NIC (News - Alert)) and the BIOS firmware. The control panel is open to misuse or malicious re-configuration if not password-protected and output trays are notoriously vulnerable to confidential documents being left exposed.

The device should include BIOS protection features such as Secure Boot, which prevents the execution of malicious code during boot-up. Additional features, such as SureStart, automatically reboot the system if it is attacked or corrupted. Beyond the BIOS, the firmware should include whitelisting, and features like run-time intrusion detection can detect attacks on memory.  Company-wide, a good fleet management system should be able to recognize and fix any affected device security setting to ensure they comply with company security policies, as well as compliance regulations and the requirements of a company’s clients, particularly if that client is a government entity with a high level of clearance. 

Figure 3: While there is a lot that can be done to ensure a printer and its network are secure, educating the workforce on best practices can pay long-term dividends.

Code validation and reboot protect the device itself from cyberattacks, but implementing best practices across the workplace is critical. A good assessment by experts will help, but some things to keep in mind include not leaving documents unattended, not leaving portable media attached to printers, and for personal security, and being wary of printing personal documents on a corporate printer. If someone makes off with that printer, it’s not just a few hundred dollars of equipment that has fallen into the wrong hands.

Of course, the printing-as-a-service and automated supplies  fulfillment model is advantageous to individual consumers as well, where, for example, a user pays a flat fee for a certain number of printed pages. Instead of worrying about the cost of cartridges, the focus shifts to simply ensuring printing is done right the first time, and there is never a mad rush to the store to purchase replacement ink.

About the Author

Christoph Schell is President of the Americas Region for HP Inc. In this role, Christoph is responsible for the go-to-market strategy and overall financial performance of the Americas business across all products, services and go-to-markets. Reach the author at @christophschel.




Edited by Alicia Young
FOLLOW US

Subscribe to InfoTECH Spotlight eNews

InfoTECH Spotlight eNews delivers the latest news impacting technology in the IT industry each week. Sign up to receive FREE breaking news today!
FREE eNewsletter

infoTECH Whitepapers